System for managing a network

ABSTRACT

In an integrated management system for providing a network system having a plurality of computers with a security function and managing a plurality of target products, implementation of the management system itself is facilitated by providing the management system with setting information templates prepared for respective target products, a management program for managing setting information files of target products actually used in a target network, an edit program for editing setting information files, and an install program for installing setting information files created by using the management program and the edit program in respective target devices.

BACKGROUND OF THE INVENTION

[0001] The present invention relates to a technique for implementing a management system that manages devices used to provide a network system including a plurality of computers with security functions.

[0002] Heretofore, various management systems for managing a plurality of devices have been developed for network systems each including a plurality of computers.

[0003] For example, a network management system described in JP-A-2000-244495 provides a mechanism for automatically generating and setting security setting of individual routers and firewall apparatuses included in a system.

[0004] In W. C. Goers and M. R. Brenner, “Implementing a Management System Architecture Framework,” Bell Labs Tech. J., Vol. 5, No. 4, October-December 2000, pp. 31-43, there is a description concerning implementation of an integrated management system for managing network devices by using a Web browser.

[0005] These techniques aim at managing a plurality of devices included in a network system efficiently. However, in order to newly add a device that is not yet a management subject as a management subject, it is necessary to modify the management system itself.

[0006] As devices that form a network system and software that operates on the devices, various new products (hardware, software, or both) are developed one after another. In order to make those new products new subjects of the management, therefore, the management system must be modified frequently.

[0007] The conventional management systems have the problem that it takes time and cost to add new products as management subjects, because no attention is paid to such expansion.

SUMMARY OF THE INVENTION

[0008] The present invention provides an integrated management system having the following components:

[0009] (1) a setting information template (referred to also as model) for forming the basis of setting a target product (hardware or software), and a management program for managing setting information files of target products actually used in a target network;

[0010] (2) an edit program for editing a setting information file, which is desired to be a dedicated edit program prepared for each target product; and

[0011] (3) an install program for installing, in each target device, a setting information file created by using the management program and the edit program, which is desired to be a dedicated install program prepared for each target product.

[0012] It is desired that the management program of (1) manages the edit program and the install program for every target product.

[0013] In the case where the target product is software, a version change due to improvement or the like might partially change the setting contents, so that the management program also has to be upgraded in some cases. According to the present invention, it becomes possible to reduce the labor required to make a device that does not yet correspond to the management system, or software of a new version, a management target, and it becomes easy to expand the management system.

[0014] Other objects, features and advantages of the invention will become apparent from the following description of the embodiments of the invention taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015] FIG. 1 is a diagram showing a general configuration of an integrated network management system;

[0016] FIG. 2 is a diagram showing configurations of an integrated management server and a target server;

[0017] FIG. 3 is a diagram showing an example of a setting information template used by an integrated management system;

[0018] FIG. 4 is a diagram showing an example of a setting information file used by an integrated management system;

[0019] FIG. 5 is a diagram showing a flow of processing for installing a setting information file of a target product;

[0020] FIG. 6 is a diagram showing a configuration method of an edit program implemented by using a Web technique;

[0021] FIG. 7 is a diagram showing an example of a screen used by an edit program corresponding to an XML format file; and

[0022] FIG. 8 is a diagram showing a configuration method of an edit program that lightens the work of editing configuration items of a target product.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0023] Hereafter, embodiments of the present invention will be described by taking the case where software products are management target products as an example with reference to FIGS. 1 to 8.

[0024] FIG. 1 is a diagram showing a general configuration of an integrated management system of the present embodiment. The integrated management system includes a network 101, an integrated management server 102, and target servers 103-1 to 103-3. The target servers as a whole are generally denoted by 103.

[0025] In the present embodiment, not only a local network but also a wide area network such as the Internet can be used as the network 101.

[0026] FIG. 2 is a diagram showing configurations of the integrated management server 102 and the target server 103.

[0027] In the configuration of the integrated management server 102, reference numeral 201 denotes a CPU and 202 denotes a network communication interface. Reference numeral 203 denotes an external storage device. The external storage device 203 stores at least one setting information template 2031 each prepared per target product, and at least one setting information file 2032 of target products actually used in the target network.

[0028] The setting information template 2031 is a model for creating the setting information file 2032. In the setting information file 2032, configuration item values of the setting information template 2031 have been fixed.

[0029] Reference numeral 204 denotes a memory. An operating system (OS) 2041 is stored in the memory 204. As programs operating on the operating system 2041, there are disposed in the memory 204 a management program 2042 for managing the setting information template 2031 and the setting information file 2032, at least one edit program 2043 for editing the setting information file 2032 each prepared per target product, and a communication program 2044 to be used for communication with a target server.

[0030] In the configuration of the target server 103, reference numeral 205 denotes a CPU, and reference numeral 206 denotes a network communication interface. Reference numeral 207 denotes an external storage device. A setting information file 2071 is stored in the external storage device 207. Reference numeral 208 denotes a memory. An operating system (OS) 2081 is disposed in the memory 208. As programs operating on the operating system 2081, there are disposed, in the memory 208, target products 2082, an install program 2083 for installing the setting information file in the target product 2082, and a communication program 2084 to be used for communication with the integrated management server.

[0031] Programs to be executed by the CPU 201 and the CPU 205 may be introduced into the integrated management server 102 or the target server 103 via a storage medium or a communication medium on the network.

[0032] The setting information template 2031 is a collection of configuration items of the target products 2082. For example, as exemplified in 301 of FIG. 3, the setting information template 2031 can be defined as a file of XML (eXtensible Markup Language) format.

[0033] In this case, each configuration item can be defined as an element of the XML. Each item name can be associated with a tag, and its item value can be associated with a text node. A format of an element of the XML corresponding to each configuration item is as follows:

[0034] <item name>value=“configuration item value”</item name>

[0035] If a configuration item has a default value, the default value is entered as the configuration item value, as shown in 302. If no default value is determined, the configuration item value is left blank, as shown in 303. If the patterns a configuration item value can take are predetermined and one of them is to be selected, then elements with the same tag are arranged repeatedly, one per pattern, as shown in 304. The element selected by default is given the attribute value flg=“1” after its configuration item value, and the other elements are given flg=“0”. As a result, the default value can be identified.

[0036] The XML format file 301 shown in FIG. 3 is an example of the setting information template for a firewall system. The XML format file 301 includes a “rulebase” tag that defines information concerning an access control rule, and a “property” tag that defines information concerning a property.

[0037] The “rulebase” tag includes elements according to the following tags:

[0038] source tag, which defines a transmission source IP address;

[0039] destination tag, which defines a transmission destination IP address;

[0040] service tag, which defines a TCP/IP service name;

[0041] action tag, which defines an action to be effected when the IP address and service match between the transmission source and the transmission destination, and which is “accept” when accepting communication, and “deny” when denying communication;

[0042] logdata-type tag, which defines a type of data output as a log;

[0043] install-point tag, which specifies a computer that executes the access control rule; and

[0044] time tag, which specifies an effective time zone of the rule.

[0045] The “property” tag includes elements according to the following tags:

[0046] check-timing tag, which specifies rule check timing in internal processing of the firewall; and

[0047] timeout tag, which specifies time of connection timeout.

[0048] In the setting information file 2032, configuration item values of the setting information template 2031 have been fixed. For example, as exemplified in 401 of FIG. 4, the setting information file 2032 can be defined as an XML format file.

[0049] In the case of a configuration item having no default value, as shown in 303 of FIG. 3, the setting information file 2032 is rewritten so that a value is filled in.

[0050] In the case of a configuration item whose value is selected from predetermined patterns, the selected element is given the attribute value flg=“1” and the other elements are given flg=“0”. As a result, the selected value can be identified.

[0051] In the setting information file 2032, it is also possible to newly define and use an attribute value in order to describe setting information.
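The template and setting-file conventions of [0033] to [0051] (blank values in 303, selectable patterns with flg=“1”/flg=“0” in 304, fixed values in 401) can be made concrete in code. The following Python is an added example and not the patent's own code; it assumes a leaf element is one configuration item, that an empty text node means "no default", and that several sibling elements sharing a tag are the selectable patterns of one item. It fills a template with user values (the work of step 504/505) and validates the resulting setting information file before it is handed to an install program, which is the check a practitioner would want before a firewall rulebase is pushed to a target server.

```python
"""Added example (not the patent's own code): build a setting information file
(401 of FIG. 4) from a setting information template (301 of FIG. 3) and check it
before it is handed to the install program.

Assumed conventions, since the patent only sketches the format:
  - a leaf element is a configuration item: tag = item name, text node = value;
  - an empty text node means "no default, the user must enter a value" (303);
  - several sibling elements with the same tag are the selectable patterns of
    one item (304); exactly one of them carries flg="1".
"""
import xml.etree.ElementTree as ET

# Constructed sample template for a firewall product, using the tags of [0037]-[0047].
TEMPLATE_XML = """<firewall>
  <rulebase>
    <source></source>
    <destination></destination>
    <service>http</service>
    <action flg="1">accept</action>
    <action flg="0">deny</action>
    <logdata-type>short</logdata-type>
    <install-point></install-point>
    <time>always</time>
  </rulebase>
  <property>
    <check-timing flg="1">first-match</check-timing>
    <check-timing flg="0">last-match</check-timing>
    <timeout>3600</timeout>
  </property>
</firewall>"""


def _items(elem, path=""):
    """Yield (item path, sibling elements) for every configuration item below `elem`."""
    groups = {}
    for child in elem:
        groups.setdefault(child.tag, []).append(child)
    for tag, elems in groups.items():
        sub = f"{path}/{tag}" if path else tag
        if len(elems) == 1 and len(elems[0]):      # a section with children, not an item
            yield from _items(elems[0], sub)
        else:
            yield sub, elems


def fill_template(template_xml, values):
    """Apply the user's values to the template and return the setting information file."""
    root = ET.fromstring(template_xml)
    pending = dict(values)
    for path, elems in _items(root):
        if path not in pending:
            continue
        chosen = str(pending.pop(path))
        if len(elems) == 1:                         # free-form item: overwrite the text node
            elems[0].text = chosen
        else:                                       # selectable item: move the flg="1" marker
            if chosen not in [(e.text or "").strip() for e in elems]:
                raise ValueError(f"{path}: {chosen!r} is not one of the allowed patterns")
            for e in elems:
                e.set("flg", "1" if (e.text or "").strip() == chosen else "0")
    if pending:                                     # refuse values for items the template lacks
        raise ValueError(f"unknown configuration items: {sorted(pending)}")
    return ET.tostring(root, encoding="unicode")


def validate_setting_file(xml_text):
    """Return the list of problems that would make the file unusable by an install program."""
    problems = []
    for path, elems in _items(ET.fromstring(xml_text)):
        if len(elems) == 1:
            if not (elems[0].text or "").strip():
                problems.append(f"{path}: no value entered")
        else:
            n = sum(1 for e in elems if e.get("flg") == "1")
            if n != 1:
                problems.append(f'{path}: expected exactly one element with flg="1", found {n}')
    return problems


def selected_values(xml_text):
    """Resolve a setting file to {item path: effective value}, honouring flg="1"."""
    result = {}
    for path, elems in _items(ET.fromstring(xml_text)):
        if len(elems) == 1:
            result[path] = (elems[0].text or "").strip()
        else:
            result[path] = next(((e.text or "").strip() for e in elems if e.get("flg") == "1"), None)
    return result
```

Running validate_setting_file on the bare template reports the three blank items (source, destination, install-point); after fill_template has supplied them and switched check-timing to last-match, the file validates cleanly and selected_values resolves each selectable item to the single element marked flg="1". Unknown item paths and values outside the allowed patterns are rejected rather than silently written into the file.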

[0052] FIG. 5 is a diagram showing a flow of processing conducted when installing a setting information file of the target product 2082 by using the integrated management system of the present embodiment.

[0053] In accordance with a request from a network manager, who is a user, the integrated management system conducts the following series of operations on the integrated management server 102:

[0054] reference numeral 501 denotes a step at which the management program 2042 accepts an edit request of the setting information file 2032 of the target product 2082 from a user;

[0055] reference numeral 502 denotes a step at which the management program 2042 starts the edit program 2043 corresponding to the target product 2082;

[0056] reference numeral 503 denotes a step at which the edit program 2043 loads the setting information template 2031 of the target product 2082 from the external storage device 203;

[0057] reference numeral 504 denotes a step at which the user customizes configuration items of the target product 2082 by using the edit program 2043;

[0058] reference numeral 505 denotes a step at which the edit program 2043 saves the setting information file 2032 of the target product 2082;

[0059] reference numeral 506 denotes a step at which the management program 2042 starts the communication program 2044, and establishes a communication path to each target server 103; and

[0060] reference numeral 507 denotes a step at which the communication program 2044 transfers the setting information file 2032 saved at the step 505 to each target server 103.

[0061] Furthermore, in the integrated management system, each target server 103 previously starts the communication program 2084, which accepts a communication request from the integrated management server 102, and conducts the following series of operations:

[0062] reference numeral 508 denotes a step at which the communication program 2084 accepts a communication request from the integrated management server 102;

[0063] reference numeral 509 denotes a step at which the communication program 2084 receives the setting information file 2032 of the target product 2082;

[0064] reference numeral 510 denotes a step at which the communication program 2084 starts the install program 2083 and delivers the received setting information file 2032 to the install program 2083; and

[0065] reference numeral 511 denotes a step at which the install program 2083 rewrites the setting contents of the target product 2082.

[0066] By carrying out the series of operations shown in FIG. 5, setting operations of a target product can be effected in the integrated management system of the present embodiment.
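Steps 508 to 511 put the install program 2083 on the receiving end of a file that arrives over the network, so it should treat that file as untrusted input and apply it only after checking it. The following Python is an added example, not the patent's install program; it assumes that the received file holds several <rule> elements under <rulebase>, each with the tags of [0038] to [0044], and that the target product reads its rules from a plain text file, one rule per line. It keeps only the rules whose install-point names this host, writes a backup, and replaces the setting file atomically so a failure midway never leaves a half-written rulebase.

```python
"""Added example (not the patent's code) of a target-side install program 2083
for steps 508-511: the received setting information file is parsed, checked,
narrowed to the rules addressed to this host, and written atomically.

Assumptions not in the patent: several <rule> elements under <rulebase>, and a
product that reads its rules from a text file with one rule per line.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

REQUIRED_TAGS = ("source", "destination", "service", "action", "install-point")
ALLOWED_ACTIONS = {"accept", "deny"}          # the two actions named in [0041]

# Constructed sample of a received setting information file (401 of FIG. 4 style).
RECEIVED_FILE = b"""<firewall>
  <rulebase>
    <rule><source>10.0.0.0/8</source><destination>192.0.2.10</destination>
          <service>http</service><action>accept</action><logdata-type>short</logdata-type>
          <install-point>fw-1</install-point><time>always</time></rule>
    <rule><source>any</source><destination>192.0.2.10</destination>
          <service>telnet</service><action>deny</action><logdata-type>long</logdata-type>
          <install-point>fw-1</install-point><time>always</time></rule>
    <rule><source>any</source><destination>198.51.100.5</destination>
          <service>smtp</service><action>accept</action><logdata-type>short</logdata-type>
          <install-point>fw-2</install-point><time>always</time></rule>
  </rulebase>
</firewall>"""


def parse_rules(data, hostname):
    """Return the rules addressed to `hostname` as dicts; raise ValueError on a bad file."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"setting file is not well-formed XML: {exc}") from None
    if root.tag != "firewall":
        raise ValueError(f"unexpected product root element <{root.tag}>")
    rules = []
    for rule in root.iterfind("rulebase/rule"):
        fields = {child.tag: (child.text or "").strip() for child in rule}
        missing = [t for t in REQUIRED_TAGS if not fields.get(t)]
        if missing:
            raise ValueError(f"rule is missing {missing}")
        if fields["action"] not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown action {fields['action']!r}")
        if fields["install-point"] == hostname:   # [0043]: only rules meant for this computer
            rules.append(fields)
    return rules


def install(data, hostname, setting_path):
    """Step 511: rewrite the product's setting file, keeping a backup, never half-written."""
    rules = parse_rules(data, hostname)           # validate everything before touching disk
    lines = [f"{r['source']} {r['destination']} {r['service']} {r['action']}" for r in rules]
    if os.path.exists(setting_path):
        shutil.copy2(setting_path, setting_path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(setting_path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.replace(tmp, setting_path)                 # atomic rename on POSIX
    return len(rules)


def demo():
    """Run two installs in a scratch directory and report what happened."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "rules.conf")
    first = install(RECEIVED_FILE, "fw-1", path)
    second = install(RECEIVED_FILE, "fw-2", path)
    with open(path) as f:
        current = f.read()
    with open(path + ".bak") as f:
        previous = f.read()
    try:                                          # an incomplete rule must be refused
        parse_rules(b"<firewall><rulebase><rule><source>any</source></rule></rulebase></firewall>", "fw-1")
        rejected = False
    except ValueError:
        rejected = True
    shutil.rmtree(workdir)
    return {"first": first, "second": second, "current": current,
            "previous": previous, "rejected_incomplete_rule": rejected}
```

demo() installs the sample as host fw-1 (two rules) and then as fw-2 (one rule), showing that the earlier rulebase survives in the .bak file and that a rule lacking required tags is rejected before anything is written.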

[0067] The edit program 2043 of the present embodiment is a program that supports the user in customizing the setting values of the configuration items described in the setting information template 2031. An edit screen in which each configuration item and its default (initial) value have been set beforehand is displayed on the computer used by the user.

[0068] If the setting information template 2031 uses the XML format, then it is also possible, by using the Web technique, to convert the layout of the displayed screen to HTML format with XSL (eXtensible Stylesheet Language) and construct the edit screen in the Web browser.

[0069] FIG. 6 is a diagram showing a construction method of the edit program 2043 implemented on the integrated management server 102 by using such a Web technique.

[0070] Reference numeral 601 denotes a Web browser program, 602 a Web server program, 603 at least one CGI program started by the Web server program 602, and 604 an XSL file for creating the screen layout. The Web server program 602, the CGI program 603, and the XSL file 604 are implemented on the integrated management server 102.

[0071] The Web browser program 601 may be disposed on another client computer that can communicate with the integrated management server over TCP/IP.

[0072] If the URL of the setting information template 2031 of the XML format is specified in the Web browser program 601, then the Web server program 602 transmits the setting information template 2031 and the XSL file 604 to the Web browser program 601. The Web browser program 601 interprets the setting information template 2031 in accordance with the contents of the XSL file 604, and generates and displays a form screen for editing the configuration items. In the form screen, items for starting the CGI program 603 are arranged. The user can start a specified CGI program 603 by selecting an item.

[0073] As for the CGI program 603, there are a program for transferring a local file to the integrated management server 102, a program for outputting parameters of the configuration items edited on the form to the setting information file 2032, and a program for calling the communication program 2044 and transferring the setting information file 2032 to the target server 103.

[0074] FIG. 7 is a diagram showing an example of a screen used by the edit program 2043 corresponding to the XML format file 301 as the setting information template 2031.

[0075] Reference numeral 701 denotes a list for describing the access control rule. Reference numeral 702 denotes a button for adding an entry of the access control rule. Reference numeral 703 denotes a button for deleting an entry of the access control rule. If the addition button 702 is depressed, a CGI program 603 for adding one entry of the access control rule is started.

[0076] Furthermore, the list 701 has check buttons. If a deletion button 703 is depressed in a checked state, a CGI program 603 for deleting the entry is started.

[0077] Reference numerals 704 and 705 denote regions for setting properties. In the region 704, an inspection timing property is set. In the region 705, a timeout property is set. If patterns of a value which can be assumed as a configuration item value are determined as in the inspection timing property and a selection is effected from them, the patterns are displayed as a selection list as shown in 704.

[0078] If a default value is predetermined as in timeout, a default value is displayed beforehand as shown in 705. Reference numeral 706 is a button to be used after customizing of each field has been finished. By depressing this button, a CGI program 603 for generating the setting information file 2032 is started.
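The screen of FIG. 7 is produced from the template by the XSL file 604: selectable patterns become a selection list with the flg=“1” element preselected (704), items with a default become pre-filled fields (705), and items without one become blank fields (303). The following Python is an added example, not the patent's XSL file or CGI program; it produces the same kind of HTML form without an XSLT processor, using the same leaf-element conventions as above. The point a practitioner should notice is that every template value is HTML-escaped before it is placed in the form, since template contents reach the browser as markup.

```python
"""Added example (not the patent's code): generate a FIG. 7 style edit form from
a setting information template, as the XSL file 604 of [0068]-[0072] would.

Assumed conventions: a leaf element is a configuration item; several siblings
with one tag are a selection list (704) whose flg="1" element is preselected;
a non-empty text node is a pre-filled default (705); an empty one is a blank
field (303). All values are HTML-escaped on the way into the form.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down template holding the three kinds of item.
FORM_TEMPLATE_XML = """<firewall>
  <property>
    <check-timing flg="1">first-match</check-timing>
    <check-timing flg="0">last-match</check-timing>
    <timeout>3600</timeout>
    <admin-note></admin-note>
  </property>
</firewall>"""


def render_form(template_xml, action="/cgi-bin/save"):
    """Return the HTML edit form for `template_xml`; `action` is the CGI program that saves it."""
    root = ET.fromstring(template_xml)
    parts = [f'<form method="post" action="{html.escape(action, quote=True)}">']
    for section in root:
        parts.append(f"<fieldset><legend>{html.escape(section.tag)}</legend>")
        groups = {}                               # siblings sharing a tag form one item
        for item in section:
            groups.setdefault(item.tag, []).append(item)
        for tag, items in groups.items():
            name = html.escape(f"{section.tag}/{tag}", quote=True)
            if len(items) > 1:                    # 704: selection list, default marked flg="1"
                opts = "".join(
                    f'<option value="{html.escape(i.text or "", quote=True)}"'
                    f'{" selected" if i.get("flg") == "1" else ""}>'
                    f'{html.escape(i.text or "")}</option>'
                    for i in items)
                parts.append(f'<label>{html.escape(tag)} <select name="{name}">{opts}</select></label>')
            else:                                 # 705 or 303: pre-filled or blank text field
                value = html.escape((items[0].text or "").strip(), quote=True)
                parts.append(f'<label>{html.escape(tag)} <input name="{name}" value="{value}"></label>')
        parts.append("</fieldset>")
    parts.append('<button type="submit">generate setting file</button></form>')
    return "\n".join(parts)
```

The form's field names are the item paths (for example property/timeout), which is what a CGI program of [0073] needs in order to write each parameter back to the right element of the setting information file.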

[0079] As shown in FIGS. 6 and 7, it becomes possible in the present embodiment to manage a new target product in the integrated management server 102 by adding the following items corresponding to the target product to be added:

[0080] setting information template;

[0081] XSL file 604; and

[0082] CGI program 603.

[0083] Furthermore, by preparing an install program 2083 on the target server 103 side, a new target product can be added to the integrated management system of the present embodiment.

[0084] As heretofore described, in the present embodiment, it becomes possible to easily add a new target product to the integrated management system.

[0085] The configuration method of the edit program 2043 shown in FIG. 6 may be altered as shown in FIG. 8.

[0086] That is, a plurality of kinds of setting information templates 2031 having suitable default values, such as a plurality of settings corresponding to the user's security policies, are prepared. In addition, a CGI program 603 is added that allows the user to select among these setting information templates.

[0087] As a result, it becomes possible to make only necessary items selectable and make items that have become unnecessary in setting unenterable. In addition, it becomes possible to implement various kinds of setting without omission and avoid unnecessary setting. It becomes possible to lighten the user's work of editing the configuration items of the target product.

[0088] In addition, instead of preparing a setting information template 2031 for each target product 2082, category-classified setting information templates 801 associated with kinds of target products, such as firewall products and intrusion detection systems, may be provided together with converters 802 that supply the parts that differ between products and create the setting information templates of the respective products.

[0089] In the development of the integrated management system, the present embodiment brings about the effect that the development items required when adding a target product are clearly defined and can be implemented as independent modules, and the effect that the user's work of editing the configuration items of the target product is lightened.

[0090] As heretofore described, when expanding the management system in order to newly add a device that is not a management target or a new version as a management target,

[0091] (1) definition of a template of a setting information file, which becomes a basis for setting a target product,

[0092] (2) development of an edit program for editing the setting information file, and

[0093] (3) development of an install program for installing the setting information file are conducted, and then the work of incorporating them into the management system is conducted.

[0094] Since this work can be conducted independently for each individual target and the same technique can be applied to all targets, it becomes easy to expand the management system.

[0095] Furthermore, since the management system according to the present invention makes the procedures for altering setting contents common to the various targets, it becomes possible to lighten the user's work.

[0096] It should be further understood by those skilled in the art that although the foregoing description has been made on embodiments of the invention, the invention is not limited thereto and various changes and modifications may be made without departing from the spirit of the invention and the scope of the appended claims. 

We claim:
 1. An integrated management system for managing a plurality of target products used to provide a network system having a plurality of computers with a security function, the integrated management system comprising: a setting information template for forming a basis of setting a target product to be added to the network system; an edit program for editing a setting information file based on the setting information template, in association with the target product; an install program for conducting setting of the target product in accordance with the setting information file; and a management program for managing the setting information file created based on the setting information template, wherein the target product is managed by using the setting information template and the setting information file.
 2. The integrated management system according to claim 1, wherein the integrated management system comprises an integrated management server connected to a network, and a plurality of target servers, the edit program and the management program are disposed in the integrated management server, the install program is disposed in the target servers connected to the network, and the install program installs the created setting information file in the target servers.
 3. The integrated management system according to claim 2, wherein the target product is software that operates on the target servers.
 4. The integrated management system according to claim 3, wherein the setting information template and the setting information file are defined by using an XML form.
 5. The integrated management system according to claim 1, wherein the edit program comprises a browser program, a server program, a CGI program started by the server program, and an XSL file for creating a screen layout.
 6. The integrated management system according to claim 5, wherein the browser program is disposed on another client computer that can communicate with the integrated management server.
 7. The integrated management system according to claim 1, wherein setting information that functions as a basis for a product category to which the target product belongs is described in the template, and the integrated management system further comprises a converter for creating a setting information template for the target product from the setting information template. 